Cisco 2811 problem with L2TP IPsec VPN

dvecherkin1
Level 1

Hello. Sorry for my English. Please help me. I have a problem with L2TP over IPsec VPN when I connect with Android phones, though I can connect with laptops. I have a Cisco 2811 - Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(2)T2, RELEASE SOFTWARE (fc3). I configured L2TP over IPsec VPN on it with RADIUS authentication.

My config:

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization network default if-authenticated
aaa accounting network L2TP_RADIUS start-stop group radius

!
ip dhcp pool L2tp
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 domain-name domain.local
 dns-server 192.168.101.12
 option 121 hex 18c0.a865.c0a8.6401
 option 249 hex 18c0.a865.c0a8.6401

vpdn enable
!
vpdn-group sec_groupe
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

crypto logging session
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 55
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key .................. address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 28000
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
 mode transport require
!

!
!
crypto dynamic-map DYN-MAP 10
 set nat demux
 set transform-set L2TP
!
!
crypto map L2TP-VPN 10 ipsec-isakmp dynamic DYN-MAP

interface Loopback1
 description *** L2TP GateWay ***
 ip address 192.168.100.1 255.255.255.255

interface FastEthernet0/0
 description *** TO INTERNET ***
 ip address 95.6.............. 255.255.255.248
 ip access-group allow-in-from-wan in
 ip access-group allow-out-from-wan out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache policy
 duplex auto
 speed auto
 crypto map L2TP-VPN
!

interface Virtual-Template1
 description *** PPTP ***
 ip unnumbered Loopback1
 ip access-group L2TP_VPN_IN in
 autodetect encapsulation ppp
 peer default ip address dhcp-pool L2tp
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 callin
 ppp accounting L2TP_RADIUS

ip access-list extended L2TP_VPN_IN
 permit icmp any any echo
 permit ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny ip any any log-input

radius-server host 192.168.101.15 auth-port 1812 acct-port 1813
radius-server retry method reorder
radius-server retransmit 2
radius-server key 7 ......................................

Debug shows me 


234195: *Feb 3 18:53:38: ISAKMP (0:0): received packet from 93.73.161.229 dport 500 sport 500 Global (N) NEW SA
234196: *Feb 3 18:53:38: ISAKMP: Created a peer struct for 93.73.161.229, peer port 500
234197: *Feb 3 18:53:38: ISAKMP: New peer created peer = 0x47D305BC peer_handle = 0x80007C5F
234198: *Feb 3 18:53:38: ISAKMP: Locking peer struct 0x47D305BC, refcount 1 for crypto_isakmp_process_block
234199: *Feb 3 18:53:38: ISAKMP: local port 500, remote port 500
234200: *Feb 3 18:53:38: insert sa successfully sa = 480CFF64
234201: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
234203: *Feb 3 18:53:38: ISAKMP:(0): processing SA payload. message ID = 0
234204: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234205: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
234206: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234207: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
234208: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234209: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
234210: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is NAT-T v2
234211: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234212: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
234213: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234214: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
234215: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234216: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is DPD
234217: *Feb 3 18:53:38: ISAKMP:(0):Looking for a matching key for 93.73.161.229 in default
234218: *Feb 3 18:53:38: ISAKMP:(0): : success
234219: *Feb 3 18:53:38: ISAKMP:(0):found peer pre-shared key matching 93.73.161.229
234220: *Feb 3 18:53:38: ISAKMP:(0): local preshared key found
234221: *Feb 3 18:53:38: ISAKMP : Scanning profiles for xauth ...
234222: *Feb 3 18:53:38: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
234223: *Feb 3 18:53:38: ISAKMP: life type in seconds
234224: *Feb 3 18:53:38: ISAKMP: life duration (basic) of 28800
234225: *Feb 3 18:53:38: ISAKMP: encryption 3DES-CBC
234226: *Feb 3 18:53:38: ISAKMP: auth pre-share
234227: *Feb 3 18:53:38: ISAKMP: hash SHA
234228: *Feb 3 18:53:38: ISAKMP: default group 2
234229: *Feb 3 18:53:38: ISAKMP:(0):atts are acceptable. Next payload is 3
234230: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234231: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
234232: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234233: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
234234: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234235: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
234236: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is NAT-T v2
234237: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234238: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
234239: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234240: *Feb 3 18:53:38: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
234241: *Feb 3 18:53:38: ISAKMP:(0): processing vendor id payload
234242: *Feb 3 18:53:38: ISAKMP:(0): vendor ID is DPD
234243: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

234245: *Feb 3 18:53:38: ISAKMP:(0): constructed NAT-T vendor-02 ID
234246: *Feb 3 18:53:38: ISAKMP:(0): sending packet to 93.73.161.229 my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

234249: *Feb 3 18:53:38: ISAKMP (0:0): received packet from 93.73.161.229 dport 500 sport 500 Global (R) MM_SA_SETUP
234250: *Feb 3 18:53:38: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: *Feb 3 18:53:38: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

234252: *Feb 3 18:53:38: ISAKMP:(0): processing KE payload. message ID = 0
234253: *Feb 3 18:53:38: crypto_engine: Create DH shared secret
234254: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)
234255: *Feb 3 18:53:38: ISAKMP:(0): processing NONCE payload. message ID = 0
234256: *Feb 3 18:53:38: ISAKMP:(0):Looking for a matching key for 93.73.161.229 in default
234257: *Feb 3 18:53:38: ISAKMP:(0): : success
234258: *Feb 3 18:53:38: ISAKMP:(0):found peer pre-shared key matching 93.73.161.229
234259: *Feb 3 18:53:38: crypto_engine: Create IKE SA
234260: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec)
234261: *Feb 3 18:53:38: ISAKMP:received payload type 20
234262: *Feb 3 18:53:38: ISAKMP:received payload type 20
234263: *Feb 3 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM3 New State = IKE_R_MM3

234266: *Feb 3 18:53:38: ISAKMP:(5912): sending packet to 93.73.161.229 my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM3 New State = IKE_R_MM4

234269: *Feb 3 18:53:38: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
234270: *Feb 3 18:53:38: crypto_engine: Decrypt IKE packet
234271: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
234272: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM4 New State = IKE_R_MM5

234274: *Feb 3 18:53:38: ISAKMP:(5912): processing ID payload. message ID = 0
234275: *Feb 3 18:53:38: ISAKMP (0:5912): ID payload
next-payload : 8
type : 1
address : 192.168.1.218
protocol : 17
port : 500
length : 12
234276: *Feb 3 18:53:38: ISAKMP:(5912):: peer matches *none* of the profiles
234277: *Feb 3 18:53:38: ISAKMP:(5912): processing HASH payload. message ID = 0
234278: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
234279: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
234280: *Feb 3 18:53:38: ISAKMP:(5912):SA authentication status:
authenticated
234281: *Feb 3 18:53:38: ISAKMP:(5912):SA has been authenticated with 93.73.161.229
234282: *Feb 3 18:53:38: ISAKMP:(5912):Detected port floating to port = 4500
234283: *Feb 3 18:53:38: ISAKMP: Trying to insert a peer 95.6......./93.73.161.229/4500/, and inserted successfully 47D305BC.
234284: *Feb 3 18:53:38: ISAKMP:(5912):IKE_DPD is enabled, initializing timers
234285: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5 New State = IKE_R_MM5

234287: *Feb 3 18:53:38: ISAKMP:(5912):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
234288: *Feb 3 18:53:38: ISAKMP (0:5912): ID payload
next-payload : 8
type : 1
address : 95.6.......
protocol : 17
port : 0
length : 12
234289: *Feb 3 18:53:38: ISAKMP:(5912):Total payload length: 12
234290: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
234291: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
234292: *Feb 3 18:53:38: crypto_engine: Encrypt IKE packet
routerindc#
234293: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
234294: *Feb 3 18:53:38: ISAKMP:(5912): sending packet to 93.73.161.229 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
234295: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

234297: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

234299: *Feb 3 18:53:38: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) QM_IDLE
234300: *Feb 3 18:53:38: ISAKMP: set new node -893966165 to QM_IDLE
234301: *Feb 3 18:53:38: crypto_engine: Decrypt IKE packet
234302: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
234303: *Feb 3 18:53:38: crypto_engine: Generate IKE hash
234304: *Feb 3 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
234305: *Feb 3 18:53:38: ISAKMP:(5912): processing HASH payload. message ID = -893966165
234306: *Feb 3 18:53:38: ISAKMP:(5912): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -893966165, sa = 480CFF64
234307: *Feb 3 18:53:38: ISAKMP:(5912):SA authentication status:
authenticated
234308: *Feb 3 18:53:38: ISAKMP:(5912): Process initial contact,
bring down existing phase 1 and 2 SA's with local 95.6....... remote 93.73.161.229 remote port 4500
234309: *Feb 3 18:53:38: ISAKMP:(5912):deleting node -893966165 error FALSE reason "Informational (in) state 1"
234310: *Feb 3 18:53:38: ISAKMP:(5912):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

234312: *Feb 3 18:53:38: IPSEC(key_engine): got a queue event with 1 KMI message(s)
234313: *Feb 3 18:53:39: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 150 packets
234314: *Feb 3 18:53:39: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) QM_IDLE
234315: *Feb 3 18:53:39: ISAKMP: set new node -1224389198 to QM_IDLE
234316: *Feb 3 18:53:39: crypto_engine: Decrypt IKE packet
234317: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
234318: *Feb 3 18:53:39: crypto_engine: Generate IKE hash
234319: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
234320: *Feb 3 18:53:39: ISAKMP:(5912): processing HASH payload. message ID = -1224389198
234321: *Feb 3 18:53:39: ISAKMP:(5912): processing SA payload. message ID = -1224389198
234322: *Feb 3 18:53:39: ISAKMP:(5912):Checking IPSec proposal 1
234323: *Feb 3 18:53:39: ISAKMP: transform 1, ESP_3DES
234324: *Feb 3 18:53:39: ISAKMP: attributes in transform:
234325: *Feb 3 18:53:39: ISAKMP: SA life type in seconds
234326: *Feb 3 18:53:39: ISAKMP: SA life duration (basic) of 28800
234327: *Feb 3 18:53:39: ISAKMP: encaps is 61444 (Transport-UDP)
234328: *Feb 3 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: *Feb 3 18:53:39: CryptoEngine0: validate proposal
234330: *Feb 3 18:53:39: ISAKMP:(5912):atts are acceptable.
234331: *Feb 3 18:53:39: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 95.6......., remote= 93.73.161.229,
local_proxy= 95.6......./255.255.255.255/17/1701 (type=1),
remote_proxy= 93.73.161.229/255.255.255.255/17/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
234332: *Feb 3 18:53:39: map_db_find_best did not find matching map
234333: *Feb 3 18:53:39: ISAKMP:(5912): processing NONCE payload. message ID = -1224389198
234334: *Feb 3 18:53:39: ISAKMP:(5912): processing ID payload. message ID = -1224389198
234335: *Feb 3 18:53:39: ISAKMP:(5912): processing ID payload. message ID = -1224389198
234336: *Feb 3 18:53:39: ISAKMP:(5912): asking for 1 spis from ipsec
234337: *Feb 3 18:53:39: ISAKMP:(5912):Node -1224389198, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: *Feb 3 18:53:39: ISAKMP:(5912):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
234339: *Feb 3 18:53:39: IPSEC(key_engine): got a queue event with 1 KMI message(s)
234340: *Feb 3 18:53:39: IPSEC(spi_response): getting spi 834762579 for SA
from 95.6....... to 93.73.161.229 for prot 3
234341: *Feb 3 18:53:39: crypto_engine: Generate IKE hash
234342: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
234343: *Feb 3 18:53:39: crypto_engine: Create IPSec SA (by QM)
routerindc#
234344: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE(hw)(ipsec)
234345: *Feb 3 18:53:39: crypto_engine: Create IPSec SA (by QM)
234346: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE(hw)(ipsec)
234347: *Feb 3 18:53:39: ISAKMP:(5912): Creating IPSec SAs
234348: *Feb 3 18:53:39: inbound SA from 93.73.161.229 to 95.6....... (f/i) 0/ 0
(proxy 93.73.161.229 to 95.6.......)
234349: *Feb 3 18:53:39: has spi 0x31C17753 and conn_id 0
234350: *Feb 3 18:53:39: lifetime of 28800 seconds
234351: *Feb 3 18:53:39: outbound SA from 95.6....... to 93.73.161.229 (f/i) 0/0
(proxy 95.6....... to 93.73.161.229)
234352: *Feb 3 18:53:39: has spi 0x495A4BD and conn_id 0
234353: *Feb 3 18:53:39: lifetime of 28800 seconds
234354: *Feb 3 18:53:39: crypto_engine: Encrypt IKE packet
234355: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
234356: *Feb 3 18:53:39: IPSEC(key_engine): got a queue event with 1 KMI message(s)
234357: *Feb 3 18:53:39: map_db_find_best did not find matching map
234358: *Feb 3 18:53:39: IPSec: Flow_switching Allocated flow for sibling 80000273
234359: *Feb 3 18:53:39: IPSEC(policy_db_add_ident): src 95.6......., dest 93.73.161.229, dest_port 4500

234360: *Feb 3 18:53:39: IPSEC(create_sa): sa created,
(sa) sa_dest= 95.6......., sa_proto= 50,
sa_spi= 0x31C17753(834762579),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1165
234361: *Feb 3 18:53:39: IPSEC(create_sa): sa created,
(sa) sa_dest= 93.73.161.229, sa_proto= 50,
sa_spi= 0x495A4BD(76915901),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1166
234362: *Feb 3 18:53:39: ISAKMP:(5912): sending packet to 93.73.161.229 my_port 4500 peer_port 4500 (R) QM_IDLE
234363: *Feb 3 18:53:39: ISAKMP:(5912):Node -1224389198, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: *Feb 3 18:53:39: ISAKMP:(5912):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
234365: *Feb 3 18:53:39: ISAKMP (0:5912): received packet from 93.73.161.229 dport 4500 sport 4500 Global (R) QM_IDLE
234366: *Feb 3 18:53:39: crypto_engine: Decrypt IKE packet
234367: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
234368: *Feb 3 18:53:39: crypto_engine: Generate IKE hash
234369: *Feb 3 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
routerindc#
234370: *Feb 3 18:53:39: ISAKMP:(5912):deleting node -1224389198 error FALSE reason "QM done (await)"
234371: *Feb 3 18:53:39: ISAKMP:(5912):Node -1224389198, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: *Feb 3 18:53:39: ISAKMP:(5912):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
234373: *Feb 3 18:53:39: IPSEC(key_engine): got a queue event with 1 KMI message(s)
234374: *Feb 3 18:53:39: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
234375: *Feb 3 18:53:39: IPSEC(key_engine_enable_outbound): enable SA with spi 76915901/50
234376: *Feb 3 18:53:40: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
routerindc#
234377: *Feb 3 18:53:42: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
routerindc#
234378: *Feb 3 18:53:44: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Also, when I connect with the phone I see an active SA and the IPsec tunnel is up, but after some time the tunnel goes down and the phone doesn't connect.

I hope you will help me. Thanks.
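
A triage sketch for debug output like the one posted above, added here as an example and not part of the original thread. It follows the ISAKMP state transitions and counts the "failed SA identity check" drops logged after phase 2 completes, which is the symptom this post shows; the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample lines in the format of the debug output in the post.
SAMPLE = """\
1: *Feb 3 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
2: *Feb 3 18:53:38: ISAKMP:(5912):Detected port floating to port = 4500
3: *Feb 3 18:53:38: ISAKMP:(5912):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
4: *Feb 3 18:53:39: ISAKMP: encaps is 61444 (Transport-UDP)
5: *Feb 3 18:53:39: ISAKMP:(5912):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
6: *Feb 3 18:53:40: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
routerindc#
7: *Feb 3 18:53:42: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
"""

# "<seq>: *<Mon D HH:MM:SS>: <message>" as printed by the router in the post.
LINE = re.compile(r"^\d+: \*(\w{3}\s+\d+\s+[\d:.]+): (.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ENCAPS = re.compile(r"encaps is \d+ \(([^)]+)\)")
FLOAT = re.compile(r"port floating to port = (\d+)")


def triage(text):
    """Summarise one IKE/IPsec negotiation from IOS crypto debug output."""
    r = {"nat_found": False, "float_port": None, "encaps": None,
         "phase1": False, "phase2": False, "id_check_failures": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # router prompts and wrapped continuation lines
        stamp, msg = m.groups()
        if "NAT found" in msg:
            r["nat_found"] = True
        if (f := FLOAT.search(msg)):
            r["float_port"] = int(f.group(1))
        if (e := ENCAPS.search(msg)):
            r["encaps"] = e.group(1)
        if (s := STATE.search(msg)):
            new = s.group(2)
            r["phase1"] |= new == "IKE_P1_COMPLETE"
            r["phase2"] |= new == "IKE_QM_PHASE2_COMPLETE"
        # Only count drops that happen once the IPsec SAs exist.
        if r["phase2"] and "failed SA identity check" in msg:
            r["id_check_failures"].append(stamp)
    return r


def verdict(r):
    """Turn the summary into a one-line finding for the ticket."""
    if not r["phase1"]:
        return "phase 1 (ISAKMP) did not complete"
    if not r["phase2"]:
        return "phase 2 (IPsec) did not complete"
    if r["id_check_failures"]:
        return "SAs up, but decrypted packets fail the SA identity check"
    return "negotiation completed, no identity-check drops logged"


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result)
    print(verdict(result))
```
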

Accepted Solutions

rvarelac
Level 7

Hi dvecherkin1

Which IOS are you running? You might be hitting the following defect.

https://tools.cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

Hope it helps

-Randy-

Please rate helpful post to help other users to find the answer quickly. 

rvarelac, thank you. I guessed, but I couldn't find it anywhere.
